Introduction

You may or may not know that privacy as we’ve known it is currently under an attack bigger than any the human race has ever seen before, other than perhaps the great flood. Companies like Facebook, Google, Microsoft, and most modern tech companies are recording as much about you as possible. Why? Because it makes them money. They’ve literally built up customized empires which track everything about you and then sell that information for advertising purposes. You know all of those customized ads that you see when you use Google, Facebook, Amazon, etc…? This is just one highly visible way that they do this. If you are a “yes man” or “yes woman” on your phone and just say yes to all of those annoying nag screens that ask for your permission, or have ever done that when you first set the phone up, then your every move is being tracked by these companies. They know where you are at all times, how much time you spend there to the point where they can make accurate estimations on where you work, where you live, who your boyfriend or girlfriend is, who your wife/husband is, how many kids you have, where they are at all times, where they go to school, who their friends are, etc…

Why this is bad (The problem)

First of all, that last sentence should already have you slightly concerned. Don’t worry, I’ll take care of the rest:

Social Engineering. It’s funny because “social engineering” is a big buzzword in modern-day hacking. Many of us have heard the story – hacker calls Nancy from Finance and claims to be Joe from the IT department, needing her to click a few things on her screen or enter her password, etc… Now the hacker has access to the entire network with Nancy’s permissions.

What most people don’t realize is that sites like Facebook and Google are social engineering us. Yes, billions of us are being had right now. This is not a joke or exaggeration. In fact, if anything, it’s an understatement. They tell us the service is “free.” In reality, your privacy and everything about you is being sold in return for the so-called “free” service. So let’s discuss the possible issues with the above:

The company policy itself

These firms take advantage of two things:

  1. They are big enough to offer seemingly “free” services that other, smaller companies cannot offer, enticing us into signing up
  2. They exploit a common misconception in the human psyche which says: “Beggars can’t be choosers” and “can’t go wrong with free stuff!” This means that most people don’t even read the billion lines of the license agreement, privacy policy, and/or terms of service because they assume that it’s free anyway, so why bother. These documents are also written in such a way that may make them difficult to understand even if a layperson does read them. They know this. Do you really think this is all a coincidence?
  3. Having said that, actually, Facebook and Google are quite direct in saying that yes, everything you do is tracked, monitored, and used. Go look at their privacy policies yourself, you’ll be surprised. Also note that they frequently change, so there’s no point in me quoting them here.

Security Breaches

  1. These companies are huge, with thousands or even tens of thousands of employees. Do you really think a company that large can secure, or even keep track of, all of its vulnerabilities and endpoints? Have you ever worked for a company that did?
  2. Assuming the company has your best interests in mind (which is never the case, they have their own best interests in mind… Specifically ones that make them the most cash), they could still have a security breach which leaks ALL of your and your loved ones’ sensitive information mentioned above (and more) into the hands of criminals. This could even be the literal keys to your car and even the ability to remotely control your house lighting, doors, vehicles, etc, depending on how “connected” you are and how much you’ve bought into the hype.

Social Engineering

Let’s go into more detail on this important point. Most of us haven’t quite realized how dangerous and powerful social engineering can be.

Hi, my name’s Joe Sullivan. I go by the nickname jsully82 on reddit, my email address is JoeSullivan@gmail.com and I have 2 daughters and a beautiful wife named Emily Sullivan. We’re a pretty typical family… We love beach vacations, my girls are all-stars on their soccer team, and my wife is a proud business owner.

Great. With just that information, I’m willing to bet within 5 minutes I can locate profile pages of Joe and his wife, pictures of his entire family, photos and/or videos of all of their interests, and perhaps even places they hang out. That’s all just done through basic Facebook, Google, Instagram, Pinterest, and perhaps LinkedIn searches. This is information that used to be kept in a tight-knit local community, in the minds and households of families and friends. Now, it’s public.

On top of that, I can find out who Joe knows, their interests, family and friends, where they went to school… Oh, they went to the same school as Joe and are the same age… Etc… The nodes of data begin to connect more and more, creating compound datasets that can be used to gain nearly every piece of information about Joe, his family, and friends… If he uses these services.

But that’s creepy right… Problem is, “creepy” earns people money. Creepy earns Facebook, Google, Amazon, Microsoft, HACKERS, your psycho ex boyfriend, and even the government money or in some cases, other satisfaction. So which wins? Joe’s feelings or his cash? You tell me.

The problem is, you are Joe. And so am I, and your friends, and my friends… Unless we’re completely disengaged from social media, use different usernames and emails at every website, use different, unique, secure passwords at every site, and log in from different IP addresses and/or machines every time. Yeah… Didn’t think so.

Let’s dig just a little deeper before wrapping up. Joe and his family take photos using their Androids and iPhones which are backed up to Google Drive and iCloud, because it would be a shame to lose all of those beautiful, memorable family pics if someone lost or damaged their cell phone. Joe’s wife Emily also uses Gmail for her business email, and Joe uses his personal email to file taxes and handle other business with the government… Over a secured, encrypted connection of course.

Well, unfortunately, Google (or Apple or Microsoft, if you use their services instead) has access to and uses the data in all email messages sent through it. All photos are not only kept and backed up on their servers, but facial recognition software is tagging and labeling the faces, scanning all photos for the same facial signatures, etc… So just by hacking into ONE Google account, which is protected by ONE password and, at most, 2-factor authentication, an attacker could get:

  • Access to all websites that Joe associated with his Gmail address, especially those that haven’t upgraded to 2-factor auth. An attacker would also try the same password on these websites, and even if that didn’t work, they could simply do a password reset, create a new one, and break in
  • All of his family photos, even private ones
  • All private emails with social security numbers, bank numbers, passwords, and private emails between him and his wife
  • Access to “location data” including every place Joe has ever traveled while carrying his phone, which was hooked up to Google’s or Facebook’s services. In fact, there are even nice data analysis features which could show Joe’s “favorite places” that he frequents each week such as coffee shops, bars, libraries, where he runs and works out, where he takes his children, which school he picks them up and drops them off at, etc… Complete with how often he goes, what time of day, and on which dates
  • Joe’s search history – Everything he’s ever typed into Google search
  • The apps and other services that Joe has purchased through any Google service, including Play Store and Google cart
  • All of Joe’s YouTube history

The sad part is I’ve actually left a lot of information off of this list… But that’s enough. With just the above info, Joe could be impersonated, attacked, his family could be put in harm’s way, but more likely, he could be socially engineered to do things in ways which exploit him as a person. He could be convinced to purchase services which exploit weaknesses in his personality. In fact, software could be programmed to target people like Joe with xyz patterns even, and do a lot worse things than simply put up some ads.

What can be done? (The solution)

The good news is, you can act RIGHT NOW and throw a monkey-wrench into the privacy-invading regime’s game. The answer is to start switching services. The less you use Google, Facebook, and the other big names, the more you take back your and your family’s privacy.

Step 1 – Use alternatives

Go look at this list that I’ve put together of alternative services which stand against tracking and saving your data, while still offering high-quality services.

Step 2 – Know who owns what

Every time you open an application or go to use a service (every time you unlock your phone or computer for the first few weeks starting NOW), ask yourself “Who owns this application?” The big tech companies have bought up so many of the smaller services that you may be thinking that you’re hiding from Facebook by using one of Facebook’s own services which was acquired, like Instagram, for example… Or you may think you’re hiding from Google on an Android, which is highly integrated with Google, since Google owns Android. When you don’t know about a service, chances are, it doesn’t respect your privacy and you need to go to https://en.wikipedia.org and find out who owns the application/service… Even I am surprised half the time because I don’t have the time to be keeping tabs on all of the acquisitions in tech every day.

This is especially true for phone apps. For example, don’t think you are “Google-freeing” your phone while it still has the YouTube app on it or you are still using the Chrome web browser; both are owned by Google!

Step 3 – Don’t put all your eggs in one basket

This is one that may be more obvious. By spreading out your usage across different services, you make it much harder for a bad guy to attack you, assuming you are using separate login credentials for each service. Now, if Google’s servers get breached, but you’ve only been using Google Search and have been using ProtonMail for email, the bad guy will only get your search data but not your email… Or if ProtonMail has a leak or your PM account gets hacked somehow, but you use DuckDuckGo for search and Mastodon for social media and use 2-factor authentication, the damage will be a lot more contained than if you use Google+, Gmail, and Google Search for everything.
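The chain described earlier (one compromised Google account leads, through password reuse and mail-based password resets, to every site tied to that address) and the compartmentalization advice in Step 3 can be turned into a small risk model. The following Python is an added example written for this post, not the author’s code or any vendor’s tool. The account names, the password labels and the two propagation rules it uses (a reused password falls with the account that leaked it; a controlled mailbox can complete password resets for accounts that recover to it, unless those accounts have 2FA) are my assumptions, and the two account inventories are constructed to mirror Joe before and after following Step 3.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    """One online account in a constructed inventory (assumed model, not from the post)."""
    name: str                      # service, e.g. "google"
    password: str                  # label of the password used; same label = reused password
    recovery_email: Optional[str]  # account whose mailbox receives password-reset mail
    has_2fa: bool = False          # in this model a second factor blocks both reuse and mail resets
    is_mailbox: bool = False       # whoever controls it can read password-reset mail


def blast_radius(accounts: List[Account], start: str) -> Set[str]:
    """Names of every account an attacker reaches after taking over `start`.

    Propagation rules (assumptions of this model):
      1. password reuse: any account sharing the owned account's password label falls;
      2. mail reset: if the owned account is a mailbox, any account whose
         recovery_email points at it can be reset into.
    Accounts with 2FA are never reached by either rule.
    """
    by_name = {a.name: a for a in accounts}
    if start not in by_name:
        raise KeyError(f"unknown account {start!r}")
    owned: Set[str] = {start}
    frontier = [start]
    while frontier:                      # breadth over the "owned" set until nothing new falls
        cur = by_name[frontier.pop()]
        for other in accounts:
            if other.name in owned or other.has_2fa:
                continue
            reused = other.password == cur.password
            resettable = cur.is_mailbox and other.recovery_email == cur.name
            if reused or resettable:
                owned.add(other.name)
                frontier.append(other.name)
    return owned


def shared_passwords(accounts: List[Account]) -> Dict[str, List[str]]:
    """Password labels used by more than one account (the reuse to fix first)."""
    groups: Dict[str, List[str]] = {}
    for a in accounts:
        groups.setdefault(a.password, []).append(a.name)
    return {label: sorted(names) for label, names in groups.items() if len(names) > 1}


# Constructed inventory: Joe before Step 3. One Google account is mail, photos and
# location data, most sites recover to it, and one password is reused.
JOE_BEFORE = [
    Account("google", "pw-main", None, is_mailbox=True),
    Account("bank", "pw-main", "google"),
    Account("taxes", "pw-tax", "google"),
    Account("reddit", "pw-main", "google"),
    Account("work", "pw-work", "google", has_2fa=True),
]

# Constructed inventory: Joe after Step 3. Email moved to a 2FA-protected mailbox,
# every service has its own password, and the sensitive ones also have 2FA.
JOE_AFTER = [
    Account("protonmail", "pw-mail", None, has_2fa=True, is_mailbox=True),
    Account("google", "pw-google", "protonmail"),
    Account("bank", "pw-bank", "protonmail", has_2fa=True),
    Account("taxes", "pw-tax", "protonmail", has_2fa=True),
    Account("mastodon", "pw-masto", "protonmail"),
    Account("work", "pw-work", "protonmail", has_2fa=True),
]


if __name__ == "__main__":
    for label, inventory in (("before", JOE_BEFORE), ("after", JOE_AFTER)):
        print(f"== Joe {label} ==")
        print("reused passwords:", shared_passwords(inventory))
        for acct in inventory:
            print(f"  compromise {acct.name:>10}: {sorted(blast_radius(inventory, acct.name))}")
```

Running it shows the point of Step 3 in numbers: in the “before” inventory, losing the Google account takes four of five accounts with it, while in the “after” inventory a breached Google account stays a single account. The mailbox remains the most valuable target in either layout (it can still reset the accounts without 2FA), which is why the second factor belongs on the email provider first.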

Step 4 – Make sure your OS (macOS, Win 10, Linux, etc…) isn’t violating your privacy!

If you answered “yes” or left a bunch of boxes checked when you purchased and booted up your device for the first time, chances are your operating system itself is logging everything you do and sending it to the manufacturer. For example, Windows 10 does this by default unless you specifically say no at first boot. If this is the case, you must disable this, or else no matter whether you use TOR or any of the software above, your data will still be compromised. Here is a link to an article on Windows 10. Another source comes from Barnacules, a former Microsoft operating system developer of 15 years. Thanks to him, I myself knew about this before I booted my own machine the first time. I do not routinely use macOS so I cannot help with this, but would love it if a macOS privacy-aware reader would drop some info on this.

Final Notes

Note that this is not a direct assault on Facebook or Google and in fact, they are not even breaking the law. Technically, it is the users’ fault because we didn’t really read and agree to the terms of use before using. I also don’t want you to think that the message of this post is either that all mainstream search engines and social media are bad or that you should never, under any circumstances, use Google. This is absolutely not true and I myself use Google every day. However, the point is that if you do choose to use these services, you need to make sure that it is a conscious decision and that you do not expose any private data to them that you wouldn’t give to random strangers. This is a goal worth striving for. That’s the bottom line.